Welcome to issue #5 of the “AWS services shorts”. In each issue, I present an AWS service, explore its strengths and weaknesses, look at some use cases, and finally cover the most common mistakes people make with it.
Today’s issue is about AWS Certificate Manager!
If you prefer, you can watch it on YouTube.
Introduction
AWS Certificate Manager (ACM) simplifies provisioning, managing, and deploying SSL/TLS certificates for use with AWS services.
Main Purpose
AWS Certificate Manager was designed to ease the process of managing SSL/TLS certificates for applications running on AWS. Before ACM, managing certificates could be a labor-intensive and error-prone process involving manual steps, regular renewals, and dealing with different certificate authorities.
Docs home: https://docs.aws.amazon.com/acm/
Features: https://aws.amazon.com/certificate-manager/features
FAQs: https://aws.amazon.com/certificate-manager/faqs
Strengths
Automated Renewals
ACM automatically renews the certificates it issues before they expire, so applications that use ACM-managed certificates keep presenting valid certificates.
Cost-Effectiveness
With ACM, there is no additional charge for provisioning public SSL/TLS certificates, which can result in cost savings when compared to purchasing certificates from third-party providers.
Deep Integration with AWS Services
ACM is natively integrated with other AWS services such as Amazon CloudFront, Elastic Load Balancing, and API Gateway, allowing for straightforward deployment of SSL/TLS certificates.
Managed Security
The private keys for certificates managed by ACM are protected and never exposed, ensuring a high level of security for applications.
Support for Private Certificates
When used together with AWS Private Certificate Authority (CA) it’s possible to create and manage private SSL/TLS certificates, providing a fully managed private CA service without the overhead of setting up an in-house CA.
Weaknesses
Limited Scope
Certificates provided by ACM can only be used with specific AWS services and can't be exported for use elsewhere.
Only certificates created with AWS Private CA (paid service) can be exported.
No Multi-region Support
ACM certificates are regional: a certificate must be requested separately in each region where it is intended to be used.
Use Cases
Web Applications on AWS
For web applications hosted on AWS, especially those using Amazon CloudFront or Elastic Load Balancing, ACM provides an easy way to attach SSL/TLS certificates to the application.
https://docs.aws.amazon.com/acm/latest/userguide/domain-ownership-validation.html
https://repost.aws/knowledge-center/associate-acm-certificate-alb-nlb
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html
API Security
For APIs hosted on Amazon API Gateway, ACM can be used to handle SSL/TLS termination.
Internal Communications
With AWS Private CA, companies can create certificates to secure communications between private/internal servers, applications, and devices.
Domain Validated Certificates
Quickly provision domain-validated certificates for domains managed in Amazon Route 53.
Mistakes
Ignoring Regional Restrictions
Not understanding the regional restrictions of ACM and trying to use a certificate across multiple regions. To use a certificate in CloudFront it must be provisioned in US East (N. Virginia).
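As an added example (not part of the original post), here is a Terraform configuration that avoids this mistake: it requests a DNS-validated public certificate in us-east-1 for use with CloudFront while the rest of the stack lives in another region, and it creates the validation record in a Route 53 hosted zone, as in the Domain Validated Certificates use case above. The domain example.com, the zone name, and the eu-west-1 default region are assumptions for illustration.

```hcl
# Default provider for the rest of the stack (assumed region).
provider "aws" {
  region = "eu-west-1"
}

# CloudFront only accepts ACM certificates issued in US East (N. Virginia),
# so the certificate and its validation use a us-east-1 provider alias.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

# Hosted zone for the assumed domain; ACM validation records go here.
data "aws_route53_zone" "site" {
  name = "example.com."
}

resource "aws_acm_certificate" "cdn" {
  provider          = aws.us_east_1
  domain_name       = "www.example.com"
  validation_method = "DNS"

  # Create the replacement before destroying the old one so the
  # distribution never references a deleted certificate.
  lifecycle {
    create_before_destroy = true
  }
}

# One CNAME per domain on the certificate. Keeping this record under
# Terraform management (rather than deleting it after issuance) lets ACM
# re-validate ownership, which is what makes automatic renewal work.
resource "aws_route53_record" "cdn_validation" {
  for_each = {
    for dvo in aws_acm_certificate.cdn.domain_validation_options :
    dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  zone_id         = data.aws_route53_zone.site.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
  allow_overwrite = true
}

# Blocks until ACM has issued the certificate; reference
# aws_acm_certificate_validation.cdn.certificate_arn from the CloudFront
# distribution's viewer_certificate block instead of the raw certificate.
resource "aws_acm_certificate_validation" "cdn" {
  provider                = aws.us_east_1
  certificate_arn         = aws_acm_certificate.cdn.arn
  validation_record_fqdns = [for r in aws_route53_record.cdn_validation : r.fqdn]
}
```

A certificate for a regional load balancer or API Gateway endpoint would use the default provider instead of the us-east-1 alias, since those services require the certificate in their own region.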
Overlooking Resource Limits
ACM has certain quotas and limits, like the number of certificates per account. Overlooking these can lead to unexpected roadblocks.
Misunderstanding the Limits of Public Certificates
Assuming ACM public certificates can be used outside of the AWS ecosystem can lead to mistakes in application architecture.
Overlooking Private CAs for Internal Resources
Only focusing on public certificates and overlooking the capabilities of AWS Private CA for internal resources can lead to missed security enhancements.
I hope you find this overview useful!
Did you like it? Too long? Too short? Something is missing?
Please let me know with a comment! 🙏
Your feedback is truly precious to me 😊
Attributions:
Icons from https://www.freepik.com
Music by Sergii Pavkin from Pixabay